Computer Security Incident Response Policy
Every organization has, or claims to have, a security policy that embraces all security aspects, ranging from locks on doors to backups, passwords, firewalls, encryption, security incidents, and more. This article discusses only those aspects of best practices that apply to the security incidents at an organization's customer sites.
The computer security incident response policy (CSIRP) should be an integral part of the organization's overall security policy. CSIRP primarily addresses the responsibilities of the CSIRT and VCSIRT in the organization's infrastructure. It should also address the following items in regard to a security incident:
Preparing and planning for handling an incident
Setting of clear priorities
Notifying of an incident
Identifying an incident
Handling of an incident
Executing of a response to an incident
Determining of the implications of past incidents
Recording and preserving the analysis of past incidents and learned lessons
The primary benefits of defining and maintaining an SIRP are:
Recovery from loss or potential loss
Resource optimization within the organization, its customer, partners, or vendors, including suppliers
Protection of classified, sensitive, or proprietary information that belongs to the organization, its customer, partners, or vendors, including suppliers
Management of public relations under a security crisis that could affect the organization, its parent enterprise, its customer, partners, or vendors, including suppliers
Prevention of legal actions against the organization and its parent enterprise
While developing the policy, it is important to keep in perspective the information security principles defined by the International Information Security Foundation as best practices (for more information, see the GASSP entry in "References" on page 23).
Scope of the Policy
Developing and defining the scope of the policy requires careful analysis with risks and responsibilities taken into account. This section provides a specific example of how the scope can be defined for an organization's CSIRP. It is important to note that the rest of this article, and the next article, addresses the essential policy aspects within this scope.
The policy typically applies to the use of enterprise-owned, hosted, rented, or leased computers or computer-based equipment, network equipment, operating systems, and application software, which compose the organization's processing environment. The policy also applies to the organization's or its parent enterprise's entire family of products and services at the customer site. Further, the policy applies to the organization's, its vendors', and its partners' facilities and systems in customers' facilities that are owned or managed by the enterprise, its vendors, suppliers, or partners. The following entities and users should be covered by this policy:
Full or part-time employees and contractors within the enterprise who use or access data, systems, or networks
Vendors who are authorized to use enterprise-owned equipment, systems, applications, or facilities
Authorized persons, entities, or customers who have access to the organization's or enterprise's services, facilities, systems, or applications
External partners that must support audit mechanisms, in compliance with the organization's or third-party agreements and legal, regulatory, or fiduciary mandates
Security Incident Response Policy Goals
The goals of the SIRP for the organization are as follows:
Research how an incident happened. This is to learn how the intrusion happened, what components were affected, and what damage, if any, was caused.
Investigate the root cause. To understand the root cause, involvement by more than one organization or business enterprise could be needed. Understanding the root cause could prevent future compromises.
Assure integrity of critical systems. The critical systems for the enterprise are the organization's computing systems and all of the network equipment associated with the enterprise's WAN, as well as customer systems running hardware and software supported by an enterprise's organization.
Maintain and restore data. Data availability is essential, so if data is stolen or corrupted intentionally, it needs to be restored as quickly as possible, while preserving any data that may be considered evidence.
Maintain and restore services. The services of the organization depend on the various computer-based or computer systems and networking components. These need to be brought back online if they are shut down or not completely functional.
Take corrective action. Taking corrective action ensures that the potential for recurrence is eliminated.
Improve the policy and processes. To avoid future incidents, the policy and processes must be continually improved with analysis and lessons learned from past incidents.
Avoid negative publicity. The appropriate enterprise resources (for example, the enterprise's legal or public relations department) should be consulted as necessary.
Breach of Policy and Enforcement
A breach of the SIRP could affect an organization's ability to prepare for and to track security compromises, penetrations, and attacks. Any person who causes the failure, disruption, or destruction of the procedures, guidelines, data, or evidence should be subject to disciplinary action at the discretion of the organization's and the enterprise's management.
Local laws and regulations differ from country to country. Therefore, CSIRTs need to be aware of the constantly changing legal framework of the environment in which they operate, and they must adapt accordingly. Before enforcement, a CSIRT should ensure that it limits its legal exposure by clearly declaring within its charter what its purpose, goals, and scope are and what it is and is not purporting to do. Appropriate legal advisors need to review the charter and all of the procedures in use by the incident response teams.